The threat posed by the Internet of Things is quickly becoming a reality as new attack methods emerge. Expert Nick Lewis explains how to address and prevent IoT security threats.

Persistent network connections were first reserved for a limited number of expensive computers, then made their way to enterprise desktops, users' homes and mobile devices, and now, finally, to a plethora of IoT devices.

Significant resources were devoted to connecting computers to static networks in the past, but those resources have dwindled in the age of the Internet of Things. The minimal resources devoted to connecting these devices to networks have resulted in even fewer resources being spent to prevent IoT security threats.

If enterprises haven't been affected by IoT attacks already, such attacks should be on their lists of issues to address. IoT attacks are inevitably coming, so it is important to learn how best to prevent or defend against them before it's too late.

Understanding the growing number of IoT security threats

When manufacturers and engineers add network connectivity to their devices for the first time, without having learned the hard lessons already encountered by more experienced developers, they will inevitably repeat their predecessors' mistakes -- such as assuming the network is trusted -- when designing their products, and fail to plan for security incidents.

While there is little enterprises can do to prevent security risks that stem from poor manufacturing, evaluating a manufacturer's published software development practices is key to understanding how information security is included in its development process. It may even be a good sign if the manufacturer outsourced the work of connecting the device to the network, since that raises the chance that an experienced software developer using secure development practices did the job right.

It's also important to note that IoT devices are exposed to the same attacks as other Internet-connected devices -- such as denial-of-service attacks or default accounts with default passwords -- and enterprises may have already encountered such issues. While the attack surface of a single IoT device may be smaller than that of a traditional desktop or server, when all IoT devices are added together, even minor security issues turn into significant problems, much like the issues encountered in the past when printers or SCADA devices were connected to networks.

One major IoT attack disclosed recently was found by Akamai Technologies Inc. Its researchers reported distributed denial-of-service (DDoS) attacks that abused insecure IoT device configurations. More specifically, attackers identified how the Simple Service Discovery Protocol (SSDP) can be abused as an amplifier: a small search request carrying a spoofed source IP address elicits a much larger response, which the device sends to the spoofed address. The researchers noted that attackers scan target network ranges and send SSDP search requests to identify responsive IoT devices; the response traffic is then directed at the victim network as part of the DDoS attack.

How to prevent and defend against IoT security threats, attacks

On one hand, enterprises should be sure to secure their SSDP use. SSDP should be limited to specific networks and rate limited to minimize the traffic it can generate under attack. Enterprises may also want to scan their own networks (much as the Shadowserver Project scans the Internet) to look for insecurely configured devices. Where such devices are found, SSDP could be disabled or limited to an approved network. The device may also need an OS or software update to patch any SSDP vulnerabilities.
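The two checks described above and in the Akamai paragraph (which devices answer SSDP from the Internet, and which device/target pairs show the request-to-response byte ratio typical of amplification) can be run over ordinary flow records. The script below is an added example, not code from the article or from Akamai; it assumes a simplified "src:sport dst:dport proto bytes" flow format, an enterprise prefix of 192.0.2.0/24, and constructed sample flows embedded inline.

```python
"""Added example, not from the article: analyze constructed flow records to
find IoT devices answering SSDP (UDP/1900) from the Internet and to flag
device/target pairs whose response volume looks like DDoS amplification."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the enterprise owns this prefix (TEST-NET-1, chosen for the example).
ENTERPRISE_NET = ipaddress.ip_network("192.0.2.0/24")
SSDP_PORT = 1900

# Constructed flow records: "src:sport dst:dport proto bytes", one flow per line.
SAMPLE_FLOWS = """\
# ordinary internal discovery traffic (multicast and unicast), must be ignored
192.0.2.50:51000 239.255.255.250:1900 udp 120
192.0.2.30:1900 192.0.2.31:51001 udp 2500
# one Internet host probing an exposed device, low volume
203.0.113.7:4444 192.0.2.10:1900 udp 90
192.0.2.10:1900 203.0.113.7:4444 udp 2900
# spoofed search requests appear to come from the victim 198.51.100.5 ...
198.51.100.5:53 192.0.2.20:1900 udp 100
198.51.100.5:53 192.0.2.20:1900 udp 100
198.51.100.5:53 192.0.2.20:1900 udp 100
# ... and the device floods the victim with replies
192.0.2.20:1900 198.51.100.5:53 udp 12000
192.0.2.20:1900 198.51.100.5:53 udp 12000
192.0.2.20:1900 198.51.100.5:53 udp 12000
"""


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse the simplified flow format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(sip, int(sport), dip, int(dport), proto, int(nbytes)))
    return flows


def is_internal(ip):
    return ipaddress.ip_address(ip) in ENTERPRISE_NET


def analyze_ssdp(flows, min_ratio=10.0, min_response_bytes=20_000):
    """Return (devices reachable on UDP/1900 from outside, amplification findings)."""
    exposed = set()
    request_bytes = defaultdict(int)   # (device, external host) -> bytes in
    response_bytes = defaultdict(int)  # (device, external host) -> bytes out
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == SSDP_PORT and is_internal(f.dst) and not is_internal(f.src):
            exposed.add(f.dst)
            request_bytes[(f.dst, f.src)] += f.nbytes
        elif f.sport == SSDP_PORT and is_internal(f.src) and not is_internal(f.dst):
            response_bytes[(f.src, f.dst)] += f.nbytes
    findings = []
    for (device, target), out_bytes in sorted(response_bytes.items()):
        in_bytes = request_bytes.get((device, target), 0)
        # Replies with no observed request still count: the ratio is then unbounded.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_response_bytes and ratio >= min_ratio:
            findings.append({"device": device, "target": target,
                             "request_bytes": in_bytes, "response_bytes": out_bytes,
                             "ratio": ratio})
    return sorted(exposed), findings


if __name__ == "__main__":
    exposed, findings = analyze_ssdp(parse_flows(SAMPLE_FLOWS))
    print("SSDP reachable from the Internet:", exposed)
    for f in findings:
        print(f"amplification suspect: {f['device']} -> {f['target']}: "
              f"{f['response_bytes']} B out / {f['request_bytes']} B in (x{f['ratio']:.0f})")
```

On the sample data the first exposed device (192.0.2.10) is reported only as reachable, because a single probe is normal Internet background noise, while 192.0.2.20 is flagged as an amplification suspect: 36,000 bytes of replies to 300 bytes of requests. Both devices are candidates for the SSDP restrictions described above; the thresholds are starting points to tune against real traffic volumes.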

On the other hand, enterprises must also know how to defend against basic DDoS attacks. This has been covered in-depth on SearchSecurity.com; DDoS plans should either be in development or already be in place at an enterprise.

However, defending against an IoT-related DDoS attack requires some additional steps. First, strong Internet border protection must only allow approved inbound network connections. If IoT devices cannot be reached directly over the Internet, it is much more difficult to get them to participate in a DDoS attack. If an IoT device needs to be directly accessible over the Internet, it should be segmented into its own network and have network access restricted. This network segment should then be monitored to identify potential anomalous traffic, and action should be taken if there is a problem.

Enterprises can detect IoT devices on their networks through routine asset management or vulnerability scans. Any new device that doesn't match a known enterprise device profile could be isolated and have its traffic redirected to a registration portal or network management system that automatically checks the device's security. This could also result in the device being placed in its own network segment.
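The profile check described above is simple to automate against scan output. The following is an added example, not code from the article: it assumes a device profile consists of a MAC OUI plus the set of ports that class of device is expected to expose, uses constructed profiles (locally administered 02:xx:xx OUIs, so they are obviously not real vendors) and a constructed scan listing, and maps each host to an allow or quarantine decision.

```python
"""Added example, not from the article: reconcile a constructed network scan
against known device profiles and decide which hosts to quarantine."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceProfile:
    name: str
    oui: str                  # first three octets of the MAC address, lower case
    allowed_ports: frozenset  # ports this device class is expected to expose


# Assumed profiles; the 02:... OUIs are locally administered, i.e. constructed.
KNOWN_PROFILES = [
    DeviceProfile("corp-laptop", "02:aa:bb", frozenset({22, 135, 139, 445, 3389})),
    DeviceProfile("network-printer", "02:cc:dd", frozenset({80, 443, 515, 631, 9100})),
]

# Constructed scan output: "ip mac open_ports" per line.
SAMPLE_SCAN = """\
192.0.2.11 02:aa:bb:10:20:30 22,445
192.0.2.12 02:cc:dd:40:50:60 80,443,9100
192.0.2.13 02:ee:ff:70:80:90 80,23,1900
192.0.2.14 02:cc:dd:41:51:61 80,9100,1900
"""

PRODUCTION_SEGMENT = "production"
QUARANTINE_SEGMENT = "iot-quarantine"  # assumed name of the isolated segment


def parse_scan(text):
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, ports = line.split()
        hosts.append((ip, mac, frozenset(int(p) for p in ports.split(","))))
    return hosts


def classify(ip, mac, ports, profiles):
    """Match the host to a profile by OUI, then check its open ports against it."""
    oui = mac.lower()[:8]
    for p in profiles:
        if p.oui != oui:
            continue
        extra = ports - p.allowed_ports
        if extra:
            # Known device class, but exposing services it should not: isolate and review.
            return {"ip": ip, "profile": p.name, "action": "quarantine-drift",
                    "segment": QUARANTINE_SEGMENT, "unexpected_ports": sorted(extra)}
        return {"ip": ip, "profile": p.name, "action": "allow",
                "segment": PRODUCTION_SEGMENT, "unexpected_ports": []}
    # No profile at all: treat every open port as unexpected and send to the portal segment.
    return {"ip": ip, "profile": None, "action": "quarantine-unknown",
            "segment": QUARANTINE_SEGMENT, "unexpected_ports": sorted(ports)}


def triage(scan_text, profiles=KNOWN_PROFILES):
    return [classify(ip, mac, ports, profiles) for ip, mac, ports in parse_scan(scan_text)]


if __name__ == "__main__":
    for r in triage(SAMPLE_SCAN):
        print(f"{r['ip']:<12} {r['profile'] or '-':<16} {r['action']:<18} "
              f"-> {r['segment']} unexpected={r['unexpected_ports']}")
```

The third host has no matching profile and is quarantined outright; the fourth looks like a printer but also answers on 1900, which is exactly the kind of drift worth catching before the device can be used as an SSDP amplifier. In practice the OUI and port lists would come from the asset inventory rather than being hard-coded.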

Those developing IoT devices should certainly devote more resources to secure development. This includes building security into device design and configuration. It could result in vendors shipping devices that are secure by default, possibly avoiding IoT DDoS issues altogether. However, as convenience, usability and speed are often more important to developers than security, achieving this is likely a pipe dream.

Enterprises and ISPs should also advocate for the adoption of the Internet Engineering Task Force's Best Current Practice 38. BCP38 calls for ingress filtering that drops traffic with spoofed source IP addresses, which helps prevent an unwitting device from participating in a DDoS attack. If an attacker can't send spoofed traffic to the device, the device can't send the network traffic used for the DDoS.
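The BCP38 rule is easiest to see as a table of which source prefixes are legitimate on each ingress interface. The script below is an added example, not code from the article or from the RFC: it assumes a constructed interface-to-prefix table, a handful of constructed packets (including a spoofed SSDP search claiming the victim's address), and, for the generated nftables rules, an assumed chain name of inet filter forward.

```python
"""Added example, not from the article: strict-mode BCP38 ingress filtering
over constructed packets, plus generation of equivalent nftables rules."""
import ipaddress

# Assumption: prefixes legitimately behind each ingress interface of the router.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/25")],
}

# Constructed packets: (ingress interface, source IP, destination IP, destination port).
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "203.0.113.9", 80),        # genuine host behind eth1
    ("eth1", "198.51.100.5", "192.0.2.20", 1900),     # spoofed: claims the victim's address
    ("eth2", "198.51.100.200", "192.0.2.20", 1900),   # genuine host behind eth2
    ("eth2", "10.0.0.5", "192.0.2.20", 1900),         # private source on a public edge
]


def ingress_allowed(iface, src_ip, table=INTERFACE_PREFIXES):
    """Strict BCP38: accept only if src_ip lies in a prefix assigned to iface."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in table.get(iface, []))


def filter_packets(packets, table=INTERFACE_PREFIXES):
    """Split packets into (accepted, dropped) according to ingress_allowed."""
    accepted, dropped = [], []
    for pkt in packets:
        iface, src, _dst, _dport = pkt
        (accepted if ingress_allowed(iface, src, table) else dropped).append(pkt)
    return accepted, dropped


def nft_ingress_rules(table=INTERFACE_PREFIXES, chain="inet filter forward"):
    """Render the table as one nftables drop rule per interface (chain name assumed)."""
    rules = []
    for iface, nets in table.items():
        prefixes = ", ".join(str(n) for n in nets)
        rules.append(f'nft add rule {chain} iifname "{iface}" ip saddr != {{ {prefixes} }} drop')
    return rules


if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE_PACKETS)
    for pkt in dropped:
        print("drop  ", pkt)
    for pkt in accepted:
        print("accept", pkt)
    print("\n".join(nft_ingress_rules()))
```

The second packet is the article's scenario: a search request addressed to an SSDP device on UDP/1900 whose source is forged to the victim's address. Because 198.51.100.5 is not behind eth1, the router drops it at ingress and the device never produces the amplified reply. The generated rules are a sketch of the same policy; real deployments must also account for multi-homed customers, where strict mode breaks legitimate asymmetric routing.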

The future of IoT security threats

The Internet of Things offers significant benefits to businesses and individuals alike, and its advancement is unlikely to be slowed by security issues such as those discussed in this article.

Many of the devices connecting to networks via IoT have little legacy technical debt for their network connections. With these new devices should come new secure-by-default designs and configurations built on top of a secure-by-default operating system where only the core operating functionality for the device is enabled and secured. New and current developers should address these security challenges in the design of their devices to prevent future security incidents.

However, until that is done, it is up to users and enterprises to take the necessary precautions and put the proper controls in place to mitigate potential IoT security threats.

About the author: Nick Lewis, CISSP, is a program manager for the Trust and Identity in Education and Research initiative at Internet2, and previously was an information security officer at Saint Louis University. Lewis received Master of Science degrees in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002.

6 comments

I checked here in the hopes of finding an answer instead of a blank page. Too bad. Like most, we're mostly in the dark, bolstering the usual firewalls and safety protocols while waiting for the unknown future. We're facing nearly inconceivable, totally unprecedented changes and connections. We plan to proceed with caution.

We are in the process of preparing, which at this time means getting our house in order - determining where our network boundaries are and what currently resides within that boundary, what each device is doing, etc. We're also starting to assess current security practices and harden areas deemed especially vulnerable. Still, the threats are largely unknown and, as @ncberns mentioned, the best preparation is to adopt slowly and proceed with caution.

I think that anyone who says their organization is fully prepared is a bit overconfident, given that there are a lot of unknowns out there. While it's important to take as many steps as possible now, there also needs to be some recognition that we don't know what threats will come yet.

That’s a good point, Ben. One of the bigger issues I see with IoT security is that reduced barriers to entry will enable the proliferation of devices with weak security. I don’t see this coming as a threat so much from the sensors and other devices that don’t know what else is out there, but more from devices that are connection-aware and integrate with other IoT connection-aware devices, at which point I think it really becomes a case of you’re only as strong as your weakest link.